Claims

1. An arrangement comprising a network adapted to allow systems to connect to the network 
via edge routers of the network, and further adapted to assign at least some of said systems 
to specified VPNs, which network includes collection of one or more devices that operates 
to insure that systems A and B of said systems that are each assigned to one or more VPNs 
but which have no commonly assigned VPN cannot communicate with each other, the 
improvement comprising: 

a controller that (1) detects an identified application, executed an element of said 
arrangement, which calls for communication between system A and system B, and (2) 
authorizes such communication when said identified application is included in a set of one 
or more allowed applications, by directing said collection to modify itself to enable said 
communication between system A and system B. 

2. The arrangement of claim 1 where said element of said arrangement is system A. 

3. The arrangement of claim 1 where said element of said arrangement is system B. 

4. The arrangement of claim 1 where said collection comprises said edge routers. 

5. The arrangement of claim 1 where said collection comprises VPN routing and 
forwarding tables, one within each of said edge routers. 

6. The arrangement of claim 1 where said network is an MPLS network. 

7. The arrangement of claim 6 where said collection comprises VPN routing and 
forwarding tables, one within each of edge routers of said network, and said controller 
directs an edge router of said edge routers through which system A is connected to said 
network to modify its routing and forwarding table, and directs an edge router of said edge 
routers through which system B is connected to said network to modify its routing and 
forwarding table. 






Iloglu 2003-0125 



8. The arrangement of claim 1 where said identified application is voice over IP 
and voice over IP is one of said allowed applications. 

9. The arrangement of claim 1 where said identified application is video over IP 
and video over IP is one of said allowed applications. 

10. The arrangement of claim 1 where said controller comprises a route server and 
a call control element. 

11. A method executed in an arrangement including a network that supports 
assigning systems to specified VPNs, which systems connect to edge routers of the 
network, which network includes collection, comprising one or more devices, that operates 
to insure that systems A and B of said systems that are each assigned to one or more VPNs 
but which have no commonly assigned VPN cannot communicate with each other, 
comprising the steps of: 

receiving a message from an application of a type for which inter-VPN 
communication is allowed, indicating a desire to establish communication between said 
systems A and B; 

directing said collection to install a modification having whose effect is to allow 
communication between said systems A and B; and 

directing said collection to remove said modification at a later time to reinstate 
prohibition against communication between said systems A and B. 

12. The method of claim 11 where said application is voice over Internet or video 
over Internet. 

13. The method of claim 12 where said directing said collection to remove said 
modification occurs substantially contemporaneously with termination of said voice over 
Internet or video over Internet communication. 

14. The method of claim 11 where said directing said collection to install a 
modification comprises the steps of: 

installing an entry X in a table of an element of said collection that is charged 
with blocking traffic so that no traffic is carried from, system A from a system that is 
assigned to a VPN to which system A is not assigned, which entry nullifies said blocking 
relative to system B, and 

installing an entry Y in a table of an element of said collection that is charged 
with blocking traffic so that no traffic is carried from, system B from a system that is 
assigned to a VPN to which system B is not assigned, which entry nullifies said blocking 
relative to system A. 

15. The method of claim 14 where 

entry X includes a criterion that nullifies said blocking only relative to traffic 
pertaining to said application, and 

entry Y includes a criterion that nullifies said blocking only relative to traffic 
pertaining to said application. 

16. The method of claim 11 where said collection is said edge routers of the 
network. 

17. The method of claim 11 where said directing said collection to install a 
modification comprises a step of installing an entry in a VPN route and forward (VRF) table 
that is associated with edge router A of said edge routers through which said system A is 
coupled to said network, and installing an entry in a VRF table that is associated with edge 
router B of said edge routers through which said system B is coupled to said network. 

18. The method of claim 17 where said entry that is installed in said VRF 
associated with said edge router A comprises an indication that system B belongs to a VPN 
to which system A belongs, and said entry that is installed in said VRF associated with said 
edge router B comprises an indication that system A belongs to a VPN to which system B 
belongs. 

19. The method of claim 18 where said entry that is installed in said VRF 
associated with said edge router A further comprises a route indication for reaching system 
B, and said entry that is installed in said VRF associated with said edge router B further 
comprises a route indication for reaching system A. 

20. The method of claim 18 where said entry that is installed in said VRF 
associated with said edge router A further comprises a route criterion for limiting traffic 
that is destined to system B solely to traffic that pertains to said application. 

21. A method executed in an arrangement including a network that supports 
assigning systems to specified VPNs, which systems connect to edge routers of the 
network, which network includes collection, comprising one or more devices, that operates 
to insure that systems A and B of said systems that are each assigned to one or more VPNs 
but which have no commonly assigned VPN cannot communicate with each other, 
comprising the steps of: 

receiving a message from a indicating a desire to establish communication between 
said systems A and B pursuant to an identified application; 

determining whether to authorize said communication; 

when said step of determining permits such communication, directing said 
collection to allow said communication. 
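
The install-then-remove behaviour of claims 11, 14 and 15 can be modelled as follows. This is an added illustration, not part of the claims or of any implementation by the applicant; the class names, VPN names and the protocol/port criteria are constructed assumptions.

```python
# Added model of application-scoped inter-VPN exceptions (constructed names and ports).
from dataclasses import dataclass, field

# Assumed allow-list: application -> traffic criterion (protocol, port).
ALLOWED_APPS = {"voip": ("udp", 5004), "video": ("udp", 5006)}

@dataclass
class EdgeRouter:
    vpns: dict = field(default_factory=dict)      # attached system -> set of VPN ids
    exceptions: set = field(default_factory=set)  # (local, remote, proto, port) entries

    def permits(self, local, remote, remote_vpns, proto, port):
        if self.vpns[local] & remote_vpns:        # a commonly assigned VPN exists
            return True
        return (local, remote, proto, port) in self.exceptions

class Controller:
    def __init__(self, routers):
        self.routers = routers                    # system -> EdgeRouter it connects through
        self.sessions = {}

    def setup(self, app, a, b):
        if app not in ALLOWED_APPS:               # application not on the allow-list
            return False
        crit = ALLOWED_APPS[app]
        x, y = (a, b, *crit), (b, a, *crit)       # entry X on A's router, entry Y on B's
        self.routers[a].exceptions.add(x)
        self.routers[b].exceptions.add(y)
        self.sessions[(app, a, b)] = (x, y)
        return True

    def teardown(self, app, a, b):                # reinstate the prohibition
        x, y = self.sessions.pop((app, a, b))
        self.routers[a].exceptions.discard(x)
        self.routers[b].exceptions.discard(y)

    def reachable(self, a, b, proto, port):       # both edge routers must permit the flow
        ra, rb = self.routers[a], self.routers[b]
        return (ra.permits(a, b, rb.vpns[b], proto, port)
                and rb.permits(b, a, ra.vpns[a], proto, port))

def demo():
    pe1, pe2 = EdgeRouter({"A": {"vpn-red"}}), EdgeRouter({"B": {"vpn-blue"}})
    ctl = Controller({"A": pe1, "B": pe2})
    out = [ctl.reachable("A", "B", "udp", 5004)]     # no common VPN: blocked
    out.append(ctl.setup("ftp", "A", "B"))           # application not allowed
    out.append(ctl.setup("voip", "A", "B"))          # allowed: entries X and Y installed
    out.append(ctl.reachable("A", "B", "udp", 5004)) # the application's traffic passes
    out.append(ctl.reachable("A", "B", "tcp", 22))   # other traffic stays blocked
    ctl.teardown("voip", "A", "B")
    out.append(ctl.reachable("A", "B", "udp", 5004)) # blocked again after removal
    out.append(not pe1.exceptions and not pe2.exceptions)
    return out

if __name__ == "__main__":
    print(demo())
```

The point to check in any real deployment of this pattern is the last two results: the exception is scoped to the application's traffic and leaves no residual entry once the session ends.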